Law enforcement authorities from 12 countries arrested four suspects linked to the LockBit ransomware gang, including a developer, a bulletproof hosting service administrator, and two people connected to LockBit activity.

This joint action also led to seizures of LockBit infrastructure servers and involved police officers in Operation Cronos, a task force led by the U.K. National Crime Agency (NCA) behind a global LockBit crackdown and an investigation that began in April 2022.

According to Europol, a suspected LockBit ransomware developer was arrested in August 2024 at the request of French authorities while on holiday outside of Russia.

The same month, the U.K.’s National Crime Agency (NCA) arrested two more individuals linked to LockBit activity: one believed to be associated with a LockBit affiliate, while the second was apprehended on suspicion of money laundering.

In a separate action, at Madrid airport, Spain’s Guardia Civil arrested the administrator of a bulletproof hosting service used to shield LockBit’s infrastructure.

Today, Australia, the United Kingdom, and the United States also revealed sanctions against an individual the UK NCA believes is a prolific LockBit ransomware affiliate linked to Evil Corp.

The United Kingdom sanctioned 15 more Russian nationals involved in Evil Corp’s criminal activities, while the United States sanctioned six individuals and Australia targeted two.

“These actions follow the massive disruption of LockBit infrastructure in February 2024, as well as the large series of sanctions and operational actions that took place against LockBit administrators in May and subsequent months,” Europol said.

​Additional LockBit arrests and charges

LockBit emerged in September 2019 and has since claimed responsibility for and been linked to attacks against many high-profile companies and organizations worldwide, including Bank of America, Boeing, the Continental automotive giant, the Italian Internal Revenue Service, and the UK Royal Mail.

In February 2024, Operation Cronos shut down LockBit’s infrastructure and seized 34 servers containing over 2,500 decryption keys that were later used to create a free LockBit 3.0 Black Ransomware decryptor.

The U.S. Department of Justice and the UK NCA estimate that the gang has extorted up to $1 billion following at least 7,000 attacks between June 2022 and February 2024.

Previous arrests of Lockbit ransomware actors (some of them already charged for various offenses) include Mikhail Pavlovich Matveev (aka Wazawaka) in May 2023, Artur Sungatov and Ivan Gennadievich Kondratiev (aka Bassterlord) in February 2024, and Dmitry Yuryevich Khoroshev (aka LockBitSupp and putinkrab) in May 2024.

In July, Russian nationals Ruslan Magomedovich Astamirov and Canadian/Russian national Mikhail Vasiliev also admitted to participating in at least a dozen ransomware attacks as affiliates of the LockBit ransomware-as-a-service operation.

Astamirov was arrested in Arizona in June 2023 and charged with deploying LockBit ransomware. Vasiliev, who was extradited to the United States in June, has already been sentenced to four years in federal prison.